In terms of useful results, Bug Bounty Programs are typically 90% cheaper than traditional pentesting, according to one speaker at YesWeHack’s ‘Client Success Stories’ event in Stockholm.
The presenter, an application security engineer from a Scandinavian financial services company, also hailed the fact that financial input tracks actionable output – specifically the number and severity of valid reports. “There’s no cheaper way of getting security testing,” he said. “It’s a no-brainer.”
Bug Bounty had been an “incredibly useful asset” overall, he continued, and would only become more useful across the economy in the age of digital transformation since hunters focus on internet-exposed assets.
Offence in depth
Bug Bounty deepens cyber-defences by adding a valuable, complementary layer to offensive security operations.
The speaker noted how Bug Bounty mostly supplements rather than duplicates the results of penetration tests, because the former specialises in internet-facing assets, while the latter can focus more on internal networks.
And, drawing on tens of thousands of hunters, Bug Bounty clients can more easily find testing expertise specific to their targets than is typically the case through conventional pentests.
The upshot for the YesWeHack customer in question was the security team being “flabbergasted” at some of the hunters’ discoveries. “Never in a million years” would they have found one particular misconfiguration issue internally, recalled the AppSec engineer delivering the presentation.
Sometimes hunters did find bugs that had already been discovered internally, but which hadn’t yet been fixed. Yet once reported through the Bug Bounty pipeline, they were promptly remediated, the speaker noted.
Steps to Bug Bounty
The Bug Bounty success story began (and it’s a familiar story) with a pair of good-faith bug reports – one submitted externally, another internally. Recognising the need for a secure, structured reporting mechanism, the company duly launched a Vulnerability Disclosure Policy (VDP).
Once the VDP was in place, the move to paying researchers was “not a big jump”, insisted the AppSec engineer – albeit this was not a universal perception. “Won’t this just encourage people to hack us?” was one misgiving encountered at boardroom level.
The speaker simply pointed out that traffic logs showed malicious attacks were happening on a regular basis anyway. At least ethical hackers would mitigate the risk of attacks succeeding – and halt their activities in the unlikely event of services being unwittingly disrupted.
Choosing YesWeHack
Once boardroom buy-in was secured, YesWeHack’s strict compliance with EU data security rules gave them an edge over rival platforms.
But it was endorsements from peers that sealed the deal for a sometimes misunderstood type of security testing, in what the speaker conceded is a “very conservative” financial services industry.
“Wow, we need this,” they said, having seen a Swiss Post presentation about their Bug Bounty Program (BBP) and meeting another YesWeHack client, Scandinavian telco Telenor.
After three months, the pilot was so successful they had “no doubt” about continuing.
Overcoming conservatism to go public
The organisation’s conservatism is now the biggest barrier to making the program public, admitted the speaker.
Fortunately, the biggest worry about going public – that the flow of bugs might become an unmanageable flood – is abating as the private program expands, he added. The current program continues to cope well with a gradually growing number of hunters, and the leap to accepting reports from all registered hunters seems ever-smaller and less daunting.
The speaker was currently “fighting” to persuade decision-makers to launch a public Bug Bounty Program, in order to access the full spectrum of hacking skills and publicly demonstrate their commitment to security.
Intriguingly, he believed going public might even aid recruitment in a fiercely competitive market for talented developers, since many are keen to learn more about application security. The Bug Bounty Program findings also inform security training programs and raise the security team’s profile internally, said the engineer.
Happy hunters
The speaker echoed advice expressed in many of our customer success stories: start small (with limited scopes and few hunters) to prevent an overload of reports; periodically add scopes, and sometimes increase rewards, to sustain hunter interest; and treat hunters well.
“The way you talk to hunters can be a meaningful factor in whether they come back,” especially if severity is lower than anticipated, said the speaker. Thank them, compliment them and fix their bugs promptly, he advised.
Hunters will also benefit from simpler rules of engagement if you create separate programs for “very different types of systems”. YesWeHack allows customers to create as many programs as they need for no additional cost.
Scopes and targets
There were some invaluable insights around choosing scopes and providing infrastructure that mitigates risk.
For instance, the speaker’s fellow BBP managers were urged to beware reliance on third parties. Can we count on Microsoft promptly remediating an Office 365 endpoint issue? he asked.
He also pointed out that the UX is a commonly abused attack vector that demands attention. Why not spin up a replica application, separate from production environments, to eliminate risk?
Embrace the support
Overall, the workload has been greater “than expected – not an incredible amount, but you have to be active in your program management”.
It’s therefore wise to accept YesWeHack’s assistance, including our recommendations for choosing hunters with relevant skills. The in-house triage service is worth leveraging too, “to filter out chaff, all the noise”, said the speaker. This “first line support” was “incredibly useful” for his employer, especially early on.
YesWeHack’s “handholding” helped them keep the flow of bugs manageable and stay within budget, as has testing assets internally before adding them to the scopes. “Pluck the [easy] weeds in your garden before bringing in a professional weed hunter,” advised the speaker.
YesWeHack has an office in Stockholm dedicated to catering to its clients – 20 and growing – in the Nordic-Baltic region. We also have a dedicated hacker community manager for the region, who caters to the needs of more than 1,500 vetted researchers in the Nordic-Baltic countries.
If you would like to discover another of our case studies, you can check out the Bug Bounty success story from risk-management giant DNV.